JP2009042850A - Control device for vehicle, and device for updating vehicle control program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a control device for vehicle which appropriately controls a vehicle without increasing the capacity of a program to be stored so much even when a vehicle control program is not normally updated, and to provide a device for updating a vehicle control program. <P>SOLUTION: The control device for vehicle is provided with: a vehicle control program PRN stored in a rewritable area ARP; a boot program PRN stored in an non-rewritable area ARIP; a fail/safe control program PRF whose capacity is smaller than the vehicle control program; a vehicle control program updating means 15 for updating the vehicle control program; and a control means 15 for executing the boot program PRB when a control device 2 is started, and for executing the vehicle control program when it is decided that the update of the vehicle control program has been normally completed, and for executing the fail/safe control program PRF when it is decided that the update has not been normally completed. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a vehicle control device that controls a vehicle, and a vehicle control program update device used in the control device.

  As a conventional vehicle control device, for example, one disclosed in Patent Document 1 is known. This control device includes a nonvolatile flash memory in which a communication program is stored in an initial state, a microcomputer having a volatile RAM, and a power source for supplying power to the microcomputer, and is connected to a communication terminal. . The communication terminal stores an application program for controlling the vehicle, and this application program is transferred to the microcomputer. The microcomputer controls the vehicle by writing and storing the application program in the flash memory and executing it. The application program is written to the flash memory as follows.

  First, based on the communication program stored in the flash memory, after enabling serial communication with the communication terminal, the communication program, rewrite software, communication abnormality determination software and save software are received from the communication terminal, Store in RAM. Next, after erasing all the programs including the communication program stored in the flash memory based on the rewriting software, the application program is sequentially received from the communication terminal and written into the flash memory. At this time, it is determined whether there is a communication error with the communication terminal based on the communication error determination software. If there is a communication error, the communication program is sent to the flash memory based on the save software. , Remember. As described above, if a communication error occurs during reception of the application program, the communication program is stored in the flash memory even if the power to the microcomputer is cut off. Communication with the communication terminal becomes possible based on the program, and transfer and writing of the application program are performed again.

  However, in the above-described conventional control device, when a communication abnormality occurs between the communication terminal and the microcomputer, the application program cannot be transmitted to the flash memory and stored. Therefore, the application program can be executed based on that The vehicle cannot be controlled. As a result, even if the driver or the like wants to move the vehicle, it cannot be moved. Further, in this control device, even if the communication abnormality occurs and returns to a normal state, the vehicle cannot be controlled until the writing of the application program is completed. In particular, when the capacity of the application program is large, it takes a long time to write the program, and the vehicle cannot be controlled during that time.

  Further, as a control device for controlling a base station, for example, one disclosed in Patent Document 2 is known. This control device includes a memory card and a download storage area, and is connected to a higher station. The memory card is composed of a first memory unit and a second memory unit, and a control program for controlling the base station is stored in these memory units. The control program stored in the first memory unit is a control program one generation before the second memory unit. Each of the first and second memory units is provided with a determination bit area indicating whether or not the control program has been updated normally.

  In this control apparatus, when a control program for update (hereinafter referred to as “update program”) is transferred from the upper station, the control program in the second memory unit of the memory card is rewritten and updated with the update program. Specifically, the update program from the upper station is stored in the download storage area. Next, after the information in the determination bit area of the second memory unit of the memory card is rewritten to be invalid, the update program is transferred from the download storage area to the second memory unit and stored therein. Thereby, the control program of the second memory unit is updated. Further, when the control program is updated normally, the information in the determination bit area of the second memory unit is effectively rewritten. On the other hand, when the update is not performed normally, the information in the determination bit area is not rewritten. Retained invalid.

  Further, in this control apparatus, when the determination bit area of the second memory unit is valid, the base station is controlled based on the control program of the second memory unit. On the other hand, when the determination bit area of the second memory unit is invalid, the determination bit area of the first memory unit is determined. When the determination bit area is valid, the base station is controlled based on the control program of the first memory unit. To do. As described above, when the control program in the second memory unit is not normally updated, the base station is controlled based on the control program in the first memory unit.

  However, in this conventional control device, the control programs before and after the update are stored in the first memory unit and the second memory unit, respectively, so the capacity to be stored is almost twice that of the individual control programs, which is very large. A memory card with a capacity is required. Further, when the control program of the first memory unit is updated along with the update of the control program of the second memory unit, for example, the addresses assigned to the first memory unit and the second memory unit are assigned to the respective address spaces. It is necessary to replace each other in accordance with the above, and the processing becomes very complicated.

  The present invention has been made to solve such a problem. Even when the vehicle control program is not updated normally without increasing the capacity of the stored program, the vehicle is appropriately It is an object of the present invention to provide a vehicle control device and a vehicle control program update device that can be controlled automatically.

JP-A-11-7381 Japanese Patent No. 2998449

  In order to achieve the above object, a vehicle control apparatus according to a first aspect of the present invention is a non-volatile memory having a rewritable area ARP and a non-rewritable area ARIP (flash ROM 14 in the embodiment (hereinafter the same in this section)). Are stored in the rewritable area ARP and stored in the rewritable area ARIP, and the vehicle control program is normally updated. A boot program PRB for determining whether the vehicle V has been stored, a fail-safe control program PRF for fail-safe control of the vehicle V, which is stored in the non-rewritable area ARIP, has a smaller capacity than the vehicle control program, Vehicle control program updating means (CPU for updating vehicle control program) 5, step 2 in FIG. 3, steps 14 and 15 in FIG. 4, and the boot program PRB is executed when the control device (ECU 2) is activated, and according to the determination result of the execution, When it is determined that the update has been normally performed, the vehicle control program is executed, and when it is determined that the update of the vehicle control program has not been normally performed, the fail safe control program PRF is executed. And a control means (CPU 15, steps 3 to 5 in FIG. 3).

  The vehicle control device includes a nonvolatile memory, and a rewritable area of the nonvolatile memory stores a vehicle control program, and the non-rewritable area includes a boot program and a vehicle control program. A fail-safe control program having a small capacity is stored. These programs are executed under the control of the control means. The vehicle control program is updated by the vehicle control program update means when the control device is operated.

  When the control device is activated, a boot program is first executed, thereby determining whether or not the vehicle control program has been updated normally. When it is determined that the update of the vehicle control program is normally performed according to the determination result, the vehicle is normally controlled by executing the vehicle control program. On the other hand, when it is determined that the vehicle control program is not normally updated, the vehicle is subjected to failsafe control by executing the failsafe control program.

  Since the fail-safe control program is stored in the non-rewritable area and is not rewritten or deleted, the vehicle control program has not been updated normally. Even when the vehicle cannot be controlled, the vehicle can be appropriately controlled by executing the fail-safe control program. For example, the driver can move the vehicle in a safe state. In addition, when the control device is started, the boot program is preferentially executed and it is determined whether the update of the vehicle control program is correct or not. Therefore, if the update cannot be performed normally, the failsafe control of the vehicle is immediately performed. And it can be executed reliably.

  Further, since the capacity of the fail safe control program is smaller than that of the vehicle control program, the capacity of the stored program can be reduced. Furthermore, since the program for fail-safe control aims at fail-safe of the vehicle, the minimum program content necessary for ensuring the movement and safety of the vehicle is sufficient. Even if the capacity is reduced, fail-safe control based on the capacity can be performed without any trouble.

  A vehicle control program update device according to a second aspect of the present invention is mounted on the vehicle V and controls the vehicle V, and acquires the update program PRU and communicates with the control device. A rewritable device 9 configured so as to be capable of being controlled, and the control device is stored in the rewritable area ARP and the non-rewritable area ARIP, the nonvolatile memory (flash ROM 14), and the rewritable area ARP, and normally controls the vehicle V Vehicle control program (normal control program PRN) for storing the boot program PRB stored in the non-rewritable area ARIP and determining whether the vehicle control program has been normally updated or not rewritten It is stored in area ARIP and has a smaller capacity than the vehicle control program. The vehicle control program update means (CPU 15, CPU 15, and) updates the vehicle control program by rewriting the fail-safe control program PRF and the vehicle control program for control with the update program PRU transmitted from the rewriting device 9. 3 and steps 14 and 15 in FIG. 4 and the boot program PRB is executed when the control device is activated, and the vehicle control program is normally updated according to the determination result of the execution. When the vehicle control program is determined to be broken, the vehicle control program is executed. When it is determined that the vehicle control program is not normally updated, the control means (CPU 15, 3 to 5) of FIG.

  In this vehicle control program update device, the control device includes a nonvolatile memory, and the vehicle control program is stored in the rewritable area of the nonvolatile memory. The rewriting device mounted on the vehicle acquires an update program for updating the vehicle control program. The vehicle control program is updated by rewriting the update program transmitted from the rewriting device by the vehicle control program updating means when the control device is operated.

  Similarly to the control device of claim 1, when the control device is started, the boot program stored in the non-rewritable area is preferentially executed, thereby determining whether the update of the vehicle control program is correct or not. When the update is normally performed, the vehicle is normally controlled by executing the vehicle control program. On the other hand, when the vehicle control program is not normally updated, the fail-safe stored in the non-rewritable area is stored. The vehicle is fail-safe controlled by executing the control program. Therefore, as in the first aspect, when the vehicle control program is not normally updated, the failsafe control of the vehicle can be performed immediately and reliably by executing the failsafe control program. For example, even when the vehicle is far from the repair shop, the vehicle can be safely moved to the repair shop.

  Further, as in the case of the first aspect, the capacity of the stored program can be reduced and the fail safe control can be performed without any trouble by reducing the capacity of the fail safe control program.

  Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the drawings. FIG. 1 schematically shows an updating apparatus 1 according to an embodiment of the present invention, together with a vehicle V equipped with an internal combustion engine (hereinafter referred to as “engine”) 3 to which the updating apparatus 1 is applied. The engine 3 is, for example, an inline 4-cylinder gasoline engine having four cylinders 3a (only one is shown). A combustion chamber 3d is formed between the piston 3b and the cylinder head 3c of each cylinder 3a.

  A fuel injection valve (hereinafter referred to as “injector”) 5 and a spark plug 6 are attached to the cylinder head 3c so as to face the combustion chamber 3d. The fuel injection amount and fuel injection timing of the engine 3 are controlled by controlling the valve opening time and valve opening timing of the injector 5 with a drive signal from an ECU 2 (control device) described later. Further, the ignition timing, that is, the discharge timing of the spark plug 6 and the energization time to the spark plug 6 are controlled by controlling the discharge timing of the spark plug 6 with a drive signal from the ECU 2.

  An air flow meter 21 is provided in the intake pipe 4 of the engine 3. The air flow meter 21 detects the intake air amount QA and outputs a detection signal to the ECU 2.

  A water temperature sensor 22 is provided in the engine 3 main body. The water temperature sensor 22 detects the temperature (hereinafter referred to as “engine water temperature”) TW of cooling water circulating in a cylinder block (not shown) of the engine 3 and outputs a detection signal to the ECU 2.

  The ECU 2 has a detection signal indicating the engine speed NE from the engine speed sensor 23, a detection signal indicating the vehicle speed VP from the vehicle speed sensor 24, and an operation amount of an accelerator pedal (not shown) from the accelerator opening sensor 25 (hereinafter referred to as an operation amount). A detection signal indicating AP (referred to as “accelerator opening”), a detection signal indicating a gear of a transmission (not shown) from the position sensor 26, and a detection signal indicating the intake air temperature TA are output from the intake air temperature sensor 27, respectively. Is done.

  The update device 1 is for updating a normal control program PRN (vehicle control program) for normally controlling the vehicle V via the engine 3 and includes an ECU 2 and a rewriting device 9 mounted on the vehicle V. Yes. The ECU 2 and the rewriting device 9 are connected to the battery 8 via the ignition switch 7 and are activated when power is supplied from the battery 8 when the ignition switch 7 is turned on. Note that the rewriting device 9 may be configured separately from the vehicle V.

  The rewriting device 9 is configured to be communicable with the ECU 2, and acquires the update program PRU for updating the normal control program PRN and transmits it to the ECU 2. The rewriting device 9 is loaded with a recording medium (not shown) in which the update program PRU and the like are recorded. The rewriting device 9 reads the update program PRU from the recording medium in units of blocks, thereby acquiring the update program PRU and transmits the acquired update program PRU to the ECU 2 in units of blocks. In addition to the update program PRU, information indicating the ID number of the ECU 2, information indicating the version of the update program PRU, and information indicating the number of blocks of the update program PRU are recorded as ID information on this recording medium. Has been.

  The rewriting device 9 transmits a rewrite signal SRW and ID information to the ECU 2 prior to transmission of the update program PRU. Specifically, when the ignition switch 7 is turned on with the recording medium mounted, the rewrite signal SRW and the ID information read from the recording medium are sequentially transmitted to the ECU 2.

  The ECU 2 includes an I / O interface, a RAM (not shown), a communication interface (shown as “communication I / F”) 11, an EEPROM 12, and a microcomputer 13. The detection signal from 27 is A / D converted and shaped by the I / O interface, and then input to a CPU 15 (to be described later) of the microcomputer 13. The RAM is used as a work area when the CPU 15 performs update processing to be described later.

  The communication interface 11 is for performing CAN communication between the rewrite device 9 and the microcomputer 13, receives the rewrite signal SRW, the ID information, and the update program PRU and transmits them to the microcomputer 13.

  The microcomputer 13 includes the CPU 15 and the flash ROM 14 (nonvolatile memory) described above.

  The flash ROM 14 is of a single port type and includes a rewritable area ARP configured to be rewritable and a non-rewritable area ARIP configured to be rewritable as shown in FIG.

  In the rewritable area ARP, the aforementioned normal control program PRN is stored. The normal control program PRN includes a fuel injection amount control program PRQINJ, a fuel injection timing control program PRTINJ, an ignition timing control program PRTIG, and the like. The fuel injection amount control program PRQINJ and the fuel injection timing control program PRTINJ set the fuel injection amount and the fuel injection timing, respectively. The intake air amount QA, the engine water temperature TW, the intake air temperature TA, etc. for making these settings are set. Each has a predetermined map as a parameter. The ignition timing control program PRTIG sets ignition timing and energization time, and has a predetermined map using the engine speed NE and the like for setting these parameters as parameters.

  The fuel injection amount control program PRQINJ, the fuel injection timing control program PRTINJ, and the ignition timing control program PRTIG are stored in block units in the address space specified by the address assigned to the rewritable area ARP. Is stored in the EEPROM 12.

  Further, in the non-rewritable area ARIP, there are a boot program PRB for determining whether or not the normal control program PRN has been normally updated and a fail safe control program PRF for fail safe control of the engine 3. It is remembered.

  The fail safe control program PRF includes a fuel injection amount control program PRQINF for fail safe control, a fuel injection timing control program PRTINF, an ignition timing control program PRTIGF, and the like. The fuel injection amount control program PRQINF and the fuel injection timing control program PRTINF set the fuel injection amount and the fuel injection timing according to the intake air amount QA, the engine water temperature TW, and the intake air temperature TA, similar to those for the normal control described above. Each of them has a predetermined map. Note that the map for fail-safe control is set to have a smaller number of grid points for the intake air amount QA or the like than the map for normal control. The ignition timing control program PRTIGF has a predetermined map for setting the energization time according to the engine speed NE. This map is set to have a smaller number of grid points with respect to the engine speed NE than the map for normal control. In the ignition timing control program PRTIGF, the ignition timing is set to a fixed value, for example, the most retarded position.

  As described above, in the fail-safe control program PRF, the fail-safe control process is simplified by reducing the number of map grid points for fail-safe control. Accordingly, the fail-safe control program PRF is reduced, and the capacity of the stored program is reduced accordingly.

  The boot program PRB, the fuel injection amount control program PRQINF for fail-safe control, the fuel injection timing control program PRTINF, and the ignition timing control program PRTIGF are in block units in the address space specified by the address assigned to the non-rewritable area ARIP. And each address is stored in the EEPROM 12.

  Further, the EEPROM 12 has ID information received from the rewriting device 9, ID number owned by the ECU 2, version information of the normal control program PRN stored in the rewritable area ARP, and “valid” or “ Information indicating “invalid” is stored, and the version information and the determination code information are updated by the CPU 15. The initial value of the determination code is set to “valid”.

  The CPU 15 executes fuel injection control and ignition timing control of the engine 3 by executing the normal control program PRN or the failsafe control program PRF. Further, the CPU 15 executes the boot program PRB when the ECU 2 is activated, that is, when the ignition switch 7 is turned on. In the present embodiment, the CPU 15 corresponds to a vehicle control program update unit and a control unit.

  FIG. 3 shows a boot process executed by the boot program PRB. This process is executed only once when the ECU 2 is activated while the engine 3 is stopped. In this process, first, in step 1 (illustrated as “S1”, hereinafter the same), it is determined whether or not the rewrite signal SRW is received from the rewrite device 9. If the determination result is YES and a recording medium is loaded in the rewrite device 9, the normal control program PRN is updated (step 2), and then this process is terminated.

  FIG. 4 shows a subroutine for this update process. In this process, first, in step 11, it is determined whether or not the ID number in the ID information received from the rewriting device 9 matches the ID number of the ECU 2. If the determination result is NO, the process proceeds to step 3 in FIG. 3, while if YES, the update of the normal control program PRN is started, and the contents of the normal control program PRN stored in the rewritable area ARP are read. After erasing all (step 12), the determination code stored in the EEPROM 12 is rewritten to “invalid” (step 13).

  Next, the update program PRU is received in block units from the rewrite device 9 (step 14). Next, the received update program PRU is written in block units in the corresponding address space of the rewritable area ARP (step 15). As a result, the normal control program PRN is sequentially updated. Next, it is determined whether or not an abnormality has occurred in updating the normal control program PRN (step 16). Specifically, when a communication abnormality occurs between the ECU 2 and the rewriting device 9 or when the update program PRU is not normally written to the flash ROM 14, it is determined that an update abnormality has occurred. The The latter writing abnormality is determined by performing, for example, verify processing. Specifically, when the received update program PRU and the written update program PRU are compared in units of blocks, the two do not match. Therefore, it is determined that the writing is abnormal.

  When the determination result of step 16 is NO, it is determined whether or not the update of the normal control program PRN is completed (step 17). Specifically, when the number of blocks of the update program PRU received in step 14 matches the number of blocks of the update program PRU stored in the EEPROM 12, it is determined that the update has been completed. When the determination result is NO, the process returns to the step 14, and the processing contents after the step 14 are repeatedly executed.

  On the other hand, when the determination result in step 17 is YES, it is determined that the normal control program PRN has been updated normally, assuming that the update program PRU has been normally written up to the last block. After the determination code is rewritten to “valid” for the purpose of representation (step 18), the present process is terminated. On the other hand, if the determination result in step 16 is YES and it is determined that the update abnormality of the normal control program PRN has occurred, the present process is terminated as it is without updating thereafter. As a result, the determination code is maintained to be “invalid” rewritten in step 13 without being rewritten to “valid”.

  When the update process as described above is completed, the update completion or update abnormality of the normal control program PRN is displayed, and the recording medium is removed from the rewrite device 9 in response to this display. As a result, transmission of the rewrite signal SRW from the rewrite device 9 is stopped. As a result, when the ECU 2 is activated next time, the determination result in Step 1 in FIG. 3 is NO, and in this case, the process proceeds to Step 3.

  In step 3, it is determined whether or not the determination code stored in the EEPROM 12 is “valid”. When the determination result is YES, assuming that the normal control program PRN has been normally updated, the control mode of the engine 3 is set to normal control (step 4), and this process is terminated. When the normal control is set in this way, the normal control of the fuel injection and ignition timing of the engine 3 is executed based on the updated normal control program PRN stored in the rewritable area ARP.

  On the other hand, if the determination result in step 3 is NO and it is determined that an update abnormality of the normal control program PRN has occurred, the control mode of the engine 3 is set to fail-safe control (step 5). Exit. When the fail safe control is set in this way, the fuel safe injection control and the ignition timing fail safe control of the engine 3 are executed based on the fail safe control program PRF stored in the non-rewritable area ARIP.

  As described above, according to the present embodiment, immediately after the ECU 2 is started, the boot program PRB stored in the non-rewritable area ARIP is preferentially executed, and whether or not the normal control program PRN is updated based on the determination code is correct. Is determined. When the update is normally performed, the engine 3 is normally controlled based on the normal control program PRN. On the other hand, when the update of the normal control program PRN is abnormal, the failure stored in the non-rewritable area ARIP is stored. The engine 3 is fail-safe controlled based on the safe control program PRF. Therefore, when the normal control program PRN is not updated normally, fail-safe control of the engine 3 can be performed immediately and reliably, and the vehicle V can be safely moved to the repair shop even when it is far from the repair shop. Can be made.

  Further, the fail-safe control program PRF has a smaller number of map grid points and a smaller capacity than the normal control program PRN, so that the capacity of the stored program can be reduced.

  Next, a modification of the update device 1 will be described with reference to FIG. In this modification, the normal control program PRN can be updated even when the engine 3 is in operation. For this reason, in this modification, a dual port type flash ROM 14 is used so that the fail-safe control program PRF can be read from the flash ROM 14 and the update program PRU can be written to the flash ROM 14 at the same time. .

  Further, the update process shown in FIG. 5 differs from the update process shown in FIG. 4 only in that the fail-safe control of the engine 3 is executed during the update of the normal control program PRN. Specifically, after the rewrite signal SRW is received from the rewrite device 9, when the ID number in the ID information matches the ID number of the ECU 2 (step 11: YES), in step 21, in FIG. As in step 5, the control mode of the engine 3 is set to fail-safe control. Thus, the fuel injection of the engine 3 and the fail safe control of the ignition timing are executed based on the fail safe control program PRF stored in the non-rewritable area ARIP. The subsequent processing contents are the same as in FIG. 4, and all of the normal control program PRN stored in the rewritable area ARP is erased (step 12) and the determination code is rewritten to “invalid” (step 13). The normal control program PRN is updated (steps 14 and 15). When it is determined that the normal control program PRN has been updated normally, the determination code is rewritten to “valid”. After that, when it is determined that an update abnormality has occurred, the determination code is set to “invalid”. This processing is terminated while maintaining the state (steps 16 to 18).

  As described above, according to this modified example, the fail-safe control of the engine 3 is executed while the normal control program PRN is being updated. Therefore, the vehicle V can be moved while the normal control program PRN is being updated. .

  In addition, this invention can be implemented in various aspects, without being limited to the described embodiment. For example, in the embodiment, the update control program for controlling the update of the normal control program PRN (the program for executing the update process of FIG. 4 or 5) is incorporated in the boot program PRB. It may be configured separately, in which case it is stored in the non-rewritable area of the flash ROM or in the EEPROM.

  In the embodiment, the update target by the update device 1 is an example of a control program for the engine 3. However, the present invention is not limited thereto, and a control program other than the engine for controlling the vehicle V, such as a transmission control program, A program for displaying meter information may be used. The fail-safe control program in this case is, for example, configured to shift the transmission gear to the second speed or the fourth speed according to the vehicle speed, and the latter is a minimum for driving the vehicle. It is configured to display only the required vehicle speed, gear stage and failure information. Alternatively, the present invention may be applied to a throttle valve control program, in which case the fail-safe control program is configured to control the throttle valve between a fully closed position and a half-open position, for example, according to the accelerator opening. .

  Further, in the embodiment, when the ID numbers match, the normal control program PRN is updated. In addition, the version information transmitted from the rewriting device 9 and the version information stored in the EEPROM 12 are compared. The normal control program PRN may be updated when the version information from the rewriting device 9 is newer.

  In the embodiment, the update program PRN is acquired by the rewrite device 9 via a recording medium attached to and detached from the rewrite device 9, but may be acquired by other appropriate means, for example, wireless communication.

  Further, in the embodiment, the update of the normal control program PRN is immediately interrupted when the update abnormality occurs once. However, after the update abnormality occurs, the update operation is repeated, and the occurrence of the update abnormality is performed a predetermined number of times. It may be interrupted when confirmed.

  In the embodiment, the addresses of the normal control program PRN and the failsafe control program PRF are stored in the EEPROM 12, but the present invention is not limited thereto, and may be incorporated in, for example, a boot program. Furthermore, in the embodiment, the RAM is used as the work area during the update process, but a flash ROM may be used.

  The embodiment is an example in which the present invention is applied to a vehicle equipped with an engine. However, the present invention is not limited to this, and the present invention is not limited to this. You may apply. In addition, it is possible to appropriately change the detailed configuration within the scope of the gist of the present invention.

It is a figure which shows roughly the update apparatus of this invention with the vehicle carrying the internal combustion engine to which this is applied. It is a block diagram which shows the structure of flash ROM. It is a flowchart which shows the boot process performed with a boot program. This is a subroutine for updating the normal control program. It is a subroutine which shows the modification of the update process of the program for normal control.

Explanation of symbols

1 Update Device 2 ECU (Control Device)
9 Rewriting device 14 Flash ROM (nonvolatile memory)
15 CPU (vehicle control program update means and control means)
V vehicle ARP rewritable area ARIP non-rewritable area PRB boot program PRU update program PRN normal control program (vehicle control program)
Program for PRF fail-safe control

Claims (2)

A non-volatile memory having a rewritable area and a non-rewritable area;
A vehicle control program stored in the rewritable area for normal control of the vehicle;
A boot program that is stored in the non-rewritable area and for determining whether or not the vehicle control program has been successfully updated;
A program for fail-safe control that is stored in the non-rewritable area and has a capacity smaller than the program for vehicle control, and for fail-safe control of the vehicle;
Vehicle control program updating means for updating the vehicle control program;
The boot program is executed when the control device is activated, and the vehicle control program is executed when it is determined that the update of the vehicle control program is normally performed according to the determination result of the execution. And, when it is determined that the update of the vehicle control program is not normally performed, control means for executing the fail-safe control program;
A vehicle control apparatus comprising: A vehicle control device for controlling the vehicle;
A rewriting device mounted on the vehicle and acquiring an update program and configured to be communicable with the control device;
The controller is
A non-volatile memory having a rewritable area and a non-rewritable area;
A vehicle control program stored in the rewritable area for normally controlling the vehicle;
A boot program that is stored in the non-rewritable area and for determining whether or not the vehicle control program has been successfully updated;
A program for fail-safe control that is stored in the non-rewritable area and has a capacity smaller than the program for vehicle control, and for fail-safe control of the vehicle;
Vehicle control program update means for updating the vehicle control program by rewriting the vehicle control program with the update program transmitted from the rewriting device;
The boot control program is executed when the control device is activated, and the vehicle control program is executed when it is determined that the update of the vehicle control program is normally performed according to the determination result of the execution. Updating the vehicle control program, comprising: control means for executing the fail-safe control program when it is determined that the vehicle control program is not normally updated. apparatus.

Images